
asheking / cve

dedecms rce2.md 1.76 KB
asheking committed on 2023-04-03 06:02 . update dedecms rce2.md.

dedecms v5.7.87 has a command execution vulnerability

  1. The affected functionality is in module editing

The SQL statement entered here is executed when the program is uninstalled

SQL statements are executed during uninstallation

Here the uninstallok branch is executed, and next the SQL statement we entered is retrieved

Here the contents of the file are obtained via GetSystemFile()

In this method GetModuleInfo() passes two arguments to locate the file

The file is finally located by the hash value in the route of the uninstall function point

Find the file by hash

Then find the XML file and view its contents

The delsql field is found in the XML and base64-decoded to obtain the content of our custom SQL file.

Then we uninstall

The log file is then generated in the corresponding directory

Then we find a function point that writes the content we want into the log file

Visit cyw.php
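
A defender's check on the delsql field described above, as an added example that is not part of the original write-up or of dedecms: it base64-decodes each `<delsql>` value in a module file and reports any statement other than a table drop or row delete. The `<delsql>` tag layout, the allowlist and the sample module text are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Assumption: legitimate uninstall SQL only removes the module's own tables or rows.
ALLOWED = re.compile(
    r"^(DROP\s+TABLE(\s+IF\s+EXISTS)?|DELETE\s+FROM)\s+`?[\w#@]+`?", re.IGNORECASE)
DELSQL = re.compile(r"<delsql>(.*?)</delsql>", re.IGNORECASE | re.DOTALL)


def decode_delsql(module_text):
    """Return decoded SQL for every <delsql> element; None marks an undecodable one."""
    decoded = []
    for blob in DELSQL.findall(module_text):
        try:
            raw = base64.b64decode("".join(blob.split()), validate=True)
            decoded.append(raw.decode("utf-8", errors="replace"))
        except (binascii.Error, ValueError):
            decoded.append(None)
    return decoded


def audit_module(module_text):
    """List findings: statements outside the allowlist, or undecodable fields."""
    findings = []
    for sql in decode_delsql(module_text):
        if sql is None:
            findings.append("delsql is not valid base64")
            continue
        # Naive split on ';': a literal containing ';' yields a fragment that
        # fails the allowlist, so the error is a false positive, not a miss.
        for stmt in (s.strip() for s in sql.split(";")):
            if stmt and not ALLOWED.match(stmt):
                findings.append("unexpected statement: " + stmt)
    return findings


def sample_module(sql):
    # Builds a constructed module file around the given uninstall SQL.
    b64 = base64.b64encode(sql.encode()).decode()
    return "<module><systemfile><delsql>" + b64 + "</delsql></systemfile></module>"


CLEAN = sample_module("DROP TABLE IF EXISTS `#@__demo`;\nDELETE FROM `#@__demo_cfg` WHERE id=1;")
SUSPECT = sample_module("DROP TABLE IF EXISTS `#@__demo`;\nSET @note = 'constructed';")

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_module(text) or "ok")
```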
